Four Cybersecurity Resolutions for 2017

2016 was a big year for cybersecurity news, most of it not terribly encouraging. Still, the year did present the cybersecurity industry with several teachable moments that I believe all security professionals should heed as we move into a new year. Accordingly, I’ve made four New Year’s resolutions for the cybersecurity industry in 2017. If any of these items are not on your “to do” list for 2017, I would challenge you to add them.

1. Move Beyond Passwords

I touched on this topic in my previous column, but it’s an important problem with solutions available today, so it’s worth repeating. It’s time to stop relying on the username/password model for authentication. The pitfalls of passwords are familiar to every security professional: many users reuse the same username/password combination across their accounts, so once attackers obtain it from one breached site they can try it against every other service the user has (the basis of credential-stuffing attacks). And thanks to years of successful breaches, stolen usernames and passwords are readily available online. Stronger verification methods, such as multifactor authentication and biometrics, are already in use throughout the digital ecosystem, so let’s collectively resolve to put the insecurity and frustration of usernames and passwords behind us in 2017.

2. Make Sure the Security and Management Teams Understand Each Other

Explaining this one requires a quick hypothetical (though common in cybersecurity) situation. Asked by his CEO for a “state of the union” report on the company’s network security, a CSO produces a report that, in the interest of being thorough and minimizing his own exposure, exhaustively lists every potential vulnerability. He shares it with the CEO, who can’t make sense of it. Why? Because the CSO hasn’t provided the context needed to make business decisions about cybersecurity. Could each of the vulnerabilities listed actually have a material impact on the business? Do they all require immediate attention or significant spending to fix? Do some of them not need to be addressed at all? This is the information the CEO and board need in order to make cybersecurity decisions that may affect other departments in the organization. If you work in cybersecurity and have written a status update on your network’s security posture, go back and read it again; this time, read it as a non-technical executive would. If the report doesn’t give you a clear understanding of where network security is today, where it needs to be tomorrow, and what it will take to get there (in cost, time and accepted risk), adjust the way you present your findings to suit your audience.

3. Join a Threat Intelligence Sharing Group

The surge in cyberattacks in recent years has produced a tsunami of threat intelligence data that leaves most security organizations struggling just to keep up with the volume of inbound alerts and indicators, let alone analyze how much of a threat each one poses to their own network. The only practical way to handle this much data is to automate the process of identifying threats, determining the appropriate countermeasure and applying it. And to automate that process, the cybersecurity industry needs to work collectively and share the workload of analyzing threats and developing countermeasures. There are many ways to share threat intelligence, from ad hoc exchanges of threat data between industry colleagues to a company formally joining an organized consortium devoted to the purpose, such as the Cyber Threat Alliance. I’ll leave it to the reader to determine which approach makes sense for your organization, but this kind of collaborative effort is vital as the cybersecurity industry works to make our digital way of life secure and reliable.

4. Be Kind to Your Level 1 SOC Operator

One of the most overlooked but vital roles in security, the level one SOC operator, is on the front lines of the ongoing contest between black hats and white hats in cyberspace. They are responsible for spotting and triaging attacks before they cause damage, and when an attack succeeds, they are often the first to be blamed. If that pressure weren’t enough, they’re also the security team members tasked with managing the threat data tsunami I described above. So the next time you see your favorite SOC operator, take a moment to tell him or her how much you appreciate their team’s work and how important it is to the ongoing success of your organization.

Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.